cxf-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache CXF Documentation > JAX-RS XML Security
Date Tue, 21 Feb 2012 11:32:00 GMT
<html>
<head>
    <base href="https://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/2042/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="https://cwiki.apache.org/confluence/display/CXF20DOC/JAX-RS+XML+Security">JAX-RS
XML Security</a></h2>
    <h4>Page <b>edited</b> by             <a href="https://cwiki.apache.org/confluence/display/~coheigea@apache.org">Colm
O hEigeartaigh</a>
    </h4>
        <br/>
                         <h4>Changes (2)</h4>
                                 
    
<div id="page-diffs">
                    <table class="diff" cellpadding="0" cellspacing="0">
    
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >&lt;ds:Signature xmlns:ds=&quot;http://www.w3.org/2000/09/xmldsig#&quot;&gt;
<br> &lt;!--  <br></td></tr>
            <tr><td class="diff-changed-lines" >Enveloped/embedded SAML Assertion
XML Signature is omitted for <span class="diff-changed-words">bre<span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">w</span><span
class="diff-added-chars"style="background-color: #dfd;">v</span>ity</span>
<br></td></tr>
            <tr><td class="diff-unchanged" >    See the JAX-RS SAML section for
more info <br> --&gt; <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" >        &lt;ds:KeyInfo&gt;
<br>            &lt;ds:X509Data&gt; <br></td></tr>
            <tr><td class="diff-changed-lines" >&lt;ds:X509Certificate&gt;&lt;!--
Omitted for <span class="diff-changed-words">bre<span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">w</span><span
class="diff-added-chars"style="background-color: #dfd;">v</span>ity</span>
--&gt;&lt;/ds:X509Certificate&gt; <br></td></tr>
            <tr><td class="diff-unchanged" >           &lt;/ds:X509Data&gt;
<br>        &lt;/ds:KeyInfo&gt; <br></td></tr>
            <tr><td class="diff-snipped" >...<br></td></tr>
    
            </table>
    </div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <p><span style="font-size:2em;font-weight:bold"> JAX-RS: XML Security
</span></p>


<div>
<ul>
    <li><a href='#JAX-RSXMLSecurity-Introduction'>Introduction</a></li>
    <li><a href='#JAX-RSXMLSecurity-Mavendependencies'>Maven dependencies</a></li>
    <li><a href='#JAX-RSXMLSecurity-XMLSignature'>XML Signature</a></li>
<ul>
    <li><a href='#JAX-RSXMLSecurity-Envelopedsignatures'>Enveloped signatures</a></li>
    <li><a href='#JAX-RSXMLSecurity-Envelopingsignatures'>Enveloping signatures</a></li>
    <li><a href='#JAX-RSXMLSecurity-Detachedsignatures'>Detached signatures</a></li>
    <li><a href='#JAX-RSXMLSecurity-Customizingthesignature'>Customizing the signature</a></li>
</ul>
    <li><a href='#JAX-RSXMLSecurity-XMLEncryption'>XML Encryption</a></li>
<ul>
    <li><a href='#JAX-RSXMLSecurity-Customizingtheencryption'>Customizing the
encryption</a></li>
</ul>
    <li><a href='#JAX-RSXMLSecurity-Interoperability'>Interoperability</a></li>
</ul></div>

<h1><a name="JAX-RSXMLSecurity-Introduction"></a>Introduction</h1>

<p>CXF 2.5.0 introduces initial support for securing JAX-RS clients and endpoints
with <a href="http://www.w3.org/TR/xmldsig-core/" class="external-link" rel="nofollow">XML
Signature</a> and <a href="http://www.w3.org/TR/xmlenc-core/" class="external-link"
rel="nofollow">XML Encryption</a>. <br/>
This is a work in progress and enhancements will be applied regularly. Support for
alternative signature and encryption technologies will also be provided in due time.</p>

<h1><a name="JAX-RSXMLSecurity-Mavendependencies"></a>Maven dependencies</h1>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;dependency&gt;</span>
  <span class="code-tag">&lt;groupId&gt;</span>org.apache.cxf<span
class="code-tag">&lt;/groupId&gt;</span>
  <span class="code-tag">&lt;artifactId&gt;</span>cxf-rt-rs-security-xml<span
class="code-tag">&lt;/artifactId&gt;</span>
  <span class="code-tag">&lt;version&gt;</span>2.5.2<span class="code-tag">&lt;/version&gt;</span>
<span class="code-tag">&lt;/dependency&gt;</span>
</pre>
</div></div>

<h1><a name="JAX-RSXMLSecurity-XMLSignature"></a>XML Signature</h1>

<p><a href="http://www.w3.org/TR/xmldsig-core/" class="external-link" rel="nofollow">XML
Signature</a> defines three types of signatures: enveloped, enveloping and detached. All
three types are supported by CXF JAX-RS.</p>

<p><b>New:</b> starting from CXF 2.5.2 it is also possible to add XML Signatures
on the server side and have them validated on the client side.</p>


<h2><a name="JAX-RSXMLSecurity-Envelopedsignatures"></a>Enveloped signatures</h2>

<p>Payload:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;Book ID=<span class="code-quote">"4bd59819-7b78-47a5-bb61-cc08348e9d48"</span>&gt;</span>
   <span class="code-tag">&lt;id&gt;</span>126<span class="code-tag">&lt;/id&gt;</span>
   <span class="code-tag">&lt;name&gt;</span>CXF<span class="code-tag">&lt;/name&gt;</span>

   <span class="code-tag">&lt;ds:Signature <span class="code-keyword">xmlns:ds</span>=<span
class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>&gt;</span>
      <span class="code-tag">&lt;ds:SignedInfo&gt;</span>
         <span class="code-tag">&lt;ds:CanonicalizationMethod Algorithm=<span
class="code-quote">"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"</span>/&gt;</span>
         <span class="code-tag">&lt;ds:SignatureMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</span>/&gt;</span>
         <span class="code-tag">&lt;ds:Reference URI=<span class="code-quote">"#4bd59819-7b78-47a5-bb61-cc08348e9d48"</span>&gt;</span>
           <span class="code-tag">&lt;ds:Transforms&gt;</span>
             <span class="code-tag">&lt;ds:Transform Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#enveloped-signature"</span>/&gt;</span>
             <span class="code-tag">&lt;ds:Transform Algorithm=<span class="code-quote">"http://www.w3.org/2001/10/xml-exc-c14n#"</span>/&gt;</span>
           <span class="code-tag">&lt;/ds:Transforms&gt;</span>
           <span class="code-tag">&lt;ds:DigestMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#sha1"</span>/&gt;</span>
           <span class="code-tag">&lt;ds:DigestValue&gt;</span>eFduzs6Cg1/Wd6jagUmr8vRYxHY=<span
class="code-tag">&lt;/ds:DigestValue&gt;</span>
         <span class="code-tag">&lt;/ds:Reference&gt;</span>
      <span class="code-tag">&lt;/ds:SignedInfo&gt;</span>
<span class="code-tag">&lt;ds:SignatureValue&gt;</span>DLD+wU85G+Q+H/SNoMr1I7tOCAZAjd3lYE84sBGU5tuMtzbwxKOIgg10g2F1SUbpujy1CZZ9BPkQNA+gA1CH4FE3uiBzp3DDSVv6o5l6Q76Ci0XI28ylO7O1OCY+q2nbP0WtERFWOn9f9nniVKbduz6YQHjv6cNLd8pf4+k2U3g=<span
class="code-tag">&lt;/ds:SignatureValue&gt;</span>

       <span class="code-tag">&lt;ds:KeyInfo&gt;</span>
         <span class="code-tag">&lt;ds:X509Data&gt;</span><span class="code-tag">&lt;ds:X509Certificate&gt;</span>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<span
class="code-tag">&lt;/ds:X509Certificate&gt;</span>
        <span class="code-tag">&lt;/ds:X509Data&gt;</span>

        <span class="code-tag">&lt;ds:KeyValue&gt;</span>
          <span class="code-tag">&lt;ds:RSAKeyValue&gt;</span>
             <span class="code-tag">&lt;ds:Modulus&gt;</span>vu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzs=<span
class="code-tag">&lt;/ds:Modulus&gt;</span>
             <span class="code-tag">&lt;ds:Exponent&gt;</span>AQAB<span
class="code-tag">&lt;/ds:Exponent&gt;</span>
          <span class="code-tag">&lt;/ds:RSAKeyValue&gt;</span>
        <span class="code-tag">&lt;/ds:KeyValue&gt;</span>
       <span class="code-tag">&lt;/ds:KeyInfo&gt;</span>
     <span class="code-tag">&lt;/ds:Signature&gt;</span>

<span class="code-tag">&lt;/Book&gt;</span>
</pre>
</div></div>

<p>Note that the Book root element is signed together with its id and name children,
and the ds:Reference inside the signature links to Book through its ID attribute.</p>

<p>Server Configuration fragment:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">

<span class="code-tag">&lt;bean id=<span class="code-quote">"serviceBean"</span>
class=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.BookStore"</span>/&gt;</span>
<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlSigHandler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlSigInHandler"</span>/&gt;</span>
<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlSigOutHandler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlSigOutInterceptor"</span>/&gt;</span>

<span class="code-tag">&lt;jaxrs:server address=<span class="code-quote">"/xmlsig"</span>&gt;</span>

    <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
      <span class="code-tag">&lt;ref bean=<span class="code-quote">"serviceBean"</span>/&gt;</span>
    <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
    &lt;!-- 
       Required for validating the inbound signature and removing it from the payload.
       It also persists the signature on the current Message, which can be disabled.
    --&gt;
    <span class="code-tag">&lt;jaxrs:providers&gt;</span>
      <span class="code-tag">&lt;ref bean=<span class="code-quote">"xmlSigHandler"</span>/&gt;</span>
    <span class="code-tag">&lt;/jaxrs:providers&gt;</span> 
    &lt;!-- 
       Required for adding a new signature to the outbound payload
    --&gt;
    <span class="code-tag">&lt;jaxrs:outInterceptors&gt;</span>
          <span class="code-tag">&lt;ref bean=<span class="code-quote">"xmlSigOutHandler"</span>/&gt;</span>
    <span class="code-tag">&lt;/jaxrs:outInterceptors&gt;</span>

    <span class="code-tag">&lt;jaxrs:properties&gt;</span>
          &lt;entry key=<span class="code-quote">"ws-security.callback-handler"</span>

                  value=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"</span>/&gt;
          &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span>

                  value=<span class="code-quote">"org/apache/cxf/systest/jaxrs/security/alice.properties"</span>/&gt;
    <span class="code-tag">&lt;/jaxrs:properties&gt;</span>
<span class="code-tag">&lt;/jaxrs:server&gt;</span>

</pre>
</div></div>

<p>Note that org.apache.cxf.rs.security.xml.XmlSigInHandler is responsible for validating
the signature attached to the inbound payload and can process all three types of
XML Signature.</p>

<p>org.apache.cxf.rs.security.xml.XmlSigOutInterceptor is responsible for adding a new
signature to the outbound payload.</p>


<p>Client code:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">

<span class="code-object">String</span> address = <span class="code-quote">"https:<span
class="code-comment">//localhost:8080/xmlsig/bookstore/books"</span>;
</span>JAXRSClientFactoryBean bean = <span class="code-keyword">new</span>
JAXRSClientFactoryBean();
bean.setAddress(address);

<span class="code-comment">// setup properties
</span>Map&lt;<span class="code-object">String</span>, <span class="code-object">Object</span>&gt;
properties = <span class="code-keyword">new</span> HashMap&lt;<span class="code-object">String</span>,
<span class="code-object">Object</span>&gt;();
properties.put(<span class="code-quote">"ws-security.callback-handler"</span>,

               <span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"</span>);
properties.put(<span class="code-quote">"ws-security.signature.username"</span>,
<span class="code-quote">"alice"</span>);
properties.put(<span class="code-quote">"ws-security.signature.properties"</span>,

               <span class="code-quote">"org/apache/cxf/systest/jaxrs/security/alice.properties"</span>);
bean.setProperties(properties);

<span class="code-comment">// add the interceptor which will add a signature to the
outbound payload
</span>XmlSigOutInterceptor sigOutInterceptor = <span class="code-keyword">new</span>
XmlSigOutInterceptor();
bean.getOutInterceptors().add(sigOutInterceptor);

<span class="code-comment">// add the interceptor which will validate a signature in
the inbound payload
</span>XmlSigInInterceptor sigInInterceptor = <span class="code-keyword">new</span>
XmlSigInInterceptor();
bean.getInInterceptors().add(sigInInterceptor);


<span class="code-comment">// load a bus with HTTPS configuration; configLocation is the
// location of the Spring context that configures the HTTPS conduit
</span>SpringBusFactory bf = <span class="code-keyword">new</span> SpringBusFactory();
Bus bus = bf.createBus(configLocation);
bean.setBus(bus);
        
<span class="code-comment">// use WebClient (or proxy) as usual
</span>WebClient wc = bean.createWebClient();
Book book = wc.post(<span class="code-keyword">new</span> Book(<span class="code-quote">"CXF"</span>,
126L), Book.class);
</pre>
</div></div>

<p>Spring configuration can also be used.<br/>
Please also check <a href="/confluence/display/CXF20DOC/Secure+JAX-RS+Services" title="Secure
JAX-RS Services">Secure JAX&#45;RS Services</a> on how HTTPS can be configured
from Spring.</p>

<h2><a name="JAX-RSXMLSecurity-Envelopingsignatures"></a>Enveloping signatures</h2>

<p>Payload:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;ds:Signature <span class="code-keyword">xmlns:ds</span>=<span
class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>&gt;</span>
   <span class="code-tag">&lt;ds:SignedInfo&gt;</span>
      <span class="code-tag">&lt;ds:CanonicalizationMethod Algorithm=<span class="code-quote">"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"</span>/&gt;</span>
      <span class="code-tag">&lt;ds:SignatureMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</span>/&gt;</span>
      <span class="code-tag">&lt;ds:Reference URI=<span class="code-quote">"#88e688e6-6512-406f-9e88-a58e5d781ff0"</span>&gt;</span>
        <span class="code-tag">&lt;ds:Transforms&gt;</span>
           <span class="code-tag">&lt;ds:Transform Algorithm=<span class="code-quote">"http://www.w3.org/2001/10/xml-exc-c14n#"</span>/&gt;</span>
        <span class="code-tag">&lt;/ds:Transforms&gt;</span>
        <span class="code-tag">&lt;ds:DigestMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#sha1"</span>/&gt;</span>
        <span class="code-tag">&lt;ds:DigestValue&gt;</span>Cq3zl3t3DqWTvuZ+4EtZgGs4ikk=<span
class="code-tag">&lt;/ds:DigestValue&gt;</span>
      <span class="code-tag">&lt;/ds:Reference&gt;</span>
   <span class="code-tag">&lt;/ds:SignedInfo&gt;</span><span class="code-tag">&lt;ds:SignatureValue&gt;</span>NvcCS8vx3YJkc8fHMf8bQkC+lwasC6CwiS7HfKSm8t+6TtYdM7TRbYxSuqfCTkF4vBIldWIzl6UngON592FfJdbvrgE2CusCkIybrP7BBmP7zTSV0GjH4/60L6ObkhGPkMNoKzw4V+zgF7Zo+F7ngsz5ZUWZX/GWETmTtYtcfT0=<span
class="code-tag">&lt;/ds:SignatureValue&gt;</span>
   <span class="code-tag">&lt;ds:KeyInfo&gt;</span>
     <span class="code-tag">&lt;ds:X509Data&gt;</span>
       <span class="code-tag">&lt;ds:X509Certificate&gt;</span><span
class="code-tag"><span class="code-comment">&lt;!-- Omitted for brevity--&gt;</span></span><span
class="code-tag">&lt;/ds:X509Certificate&gt;</span>
     <span class="code-tag">&lt;/ds:X509Data&gt;</span>
     <span class="code-tag">&lt;ds:KeyValue&gt;</span>
      <span class="code-tag">&lt;ds:RSAKeyValue&gt;</span><span class="code-tag">&lt;ds:Modulus&gt;</span>vu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzs=<span
class="code-tag">&lt;/ds:Modulus&gt;</span>
       <span class="code-tag">&lt;ds:Exponent&gt;</span>AQAB<span class="code-tag">&lt;/ds:Exponent&gt;</span>
      <span class="code-tag">&lt;/ds:RSAKeyValue&gt;</span>
     <span class="code-tag">&lt;/ds:KeyValue&gt;</span>
   <span class="code-tag">&lt;/ds:KeyInfo&gt;</span>
   <span class="code-tag">&lt;ds:Object ID=<span class="code-quote">"88e688e6-6512-406f-9e88-a58e5d781ff0"</span>&gt;</span>

      <span class="code-tag">&lt;Book&gt;</span>
         <span class="code-tag">&lt;id&gt;</span>126<span class="code-tag">&lt;/id&gt;</span>
         <span class="code-tag">&lt;name&gt;</span>CXF<span class="code-tag">&lt;/name&gt;</span>
      <span class="code-tag">&lt;/Book&gt;</span>
   <span class="code-tag">&lt;/ds:Object&gt;</span>
<span class="code-tag">&lt;/ds:Signature&gt;</span>
</pre>
</div></div>

<p>This time the signature envelops the Book element inside a ds:Object wrapper,
which the ds:Reference links to.</p>

<p>Server Configuration fragment is identical to the one shown in the Enveloped signatures
section.</p>

<p>Client code is nearly identical to the one shown in the Enveloped signatures section,
except that XmlSigOutInterceptor needs an additional property set:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">

<span class="code-comment">// add the interceptor dealing with adding a signature
</span>XmlSigOutInterceptor sigInterceptor = <span class="code-keyword">new</span>
XmlSigOutInterceptor();
sigInterceptor.setStyle(<span class="code-quote">"enveloping"</span>);

</pre>
</div></div>

<h2><a name="JAX-RSXMLSecurity-Detachedsignatures"></a>Detached signatures</h2>

<p>Payload:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;env:Envelope <span class="code-keyword">xmlns:env</span>=<span
class="code-quote">"http://org.apache.cxf/rs/env"</span>&gt;</span>

  <span class="code-tag">&lt;Book ID=<span class="code-quote">"e9836bc2-cb5a-453f-b967-a9ddbaf9a6de"</span>&gt;</span>
    <span class="code-tag">&lt;id&gt;</span>125<span class="code-tag">&lt;/id&gt;</span>
    <span class="code-tag">&lt;name&gt;</span>CXF<span class="code-tag">&lt;/name&gt;</span>
   <span class="code-tag">&lt;/Book&gt;</span>
   <span class="code-tag">&lt;ds:Signature <span class="code-keyword">xmlns:ds</span>=<span
class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>&gt;</span>
     <span class="code-tag">&lt;ds:SignedInfo&gt;</span>
       <span class="code-tag">&lt;ds:CanonicalizationMethod Algorithm=<span class="code-quote">"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"</span>/&gt;</span>
       <span class="code-tag">&lt;ds:SignatureMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#rsa-sha1"</span>/&gt;</span>
       <span class="code-tag">&lt;ds:Reference URI=<span class="code-quote">"#e9836bc2-cb5a-453f-b967-a9ddbaf9a6de"</span>&gt;</span>
         <span class="code-tag">&lt;ds:Transforms&gt;</span>
           <span class="code-tag">&lt;ds:Transform Algorithm=<span class="code-quote">"http://www.w3.org/2001/10/xml-exc-c14n#"</span>/&gt;</span>
         <span class="code-tag">&lt;/ds:Transforms&gt;</span>
         <span class="code-tag">&lt;ds:DigestMethod Algorithm=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#sha1"</span>/&gt;</span>
         <span class="code-tag">&lt;ds:DigestValue&gt;</span>Pxz77Hlg6I/MRsJz4gixkaMFtYI=<span
class="code-tag">&lt;/ds:DigestValue&gt;</span>
       <span class="code-tag">&lt;/ds:Reference&gt;</span>
     <span class="code-tag">&lt;/ds:SignedInfo&gt;</span>
<span class="code-tag">&lt;ds:SignatureValue&gt;</span>JSwgiVqZT1EtJ9xqtb90juS54pvZguzFMne7cQyGMQDvBW7b65aAAIfVx/PmFB7Tuy4qB4zqNFCzCwHlhDurNP9NYB7PEzFsA3v3vSyEcHnpUhu41xmBvjT5HWEKbuzqX0dHekizuUefbfzG5WpluVPmOgjashrm9DIhfEf+Hyg=<span
class="code-tag">&lt;/ds:SignatureValue&gt;</span>
     <span class="code-tag">&lt;ds:KeyInfo&gt;</span>
      <span class="code-tag">&lt;ds:X509Data&gt;</span>
         <span class="code-tag">&lt;ds:X509Certificate&gt;</span><span
class="code-tag"><span class="code-comment">&lt;!--Omitted for Brewity--&gt;</span></span><span
class="code-tag">&lt;/ds:X509Certificate&gt;</span>
      <span class="code-tag">&lt;/ds:X509Data&gt;</span>
      <span class="code-tag">&lt;ds:KeyValue&gt;</span>
        <span class="code-tag">&lt;ds:RSAKeyValue&gt;</span>
          <span class="code-tag">&lt;ds:Modulus&gt;</span>vu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzs=<span
class="code-tag">&lt;/ds:Modulus&gt;</span>
          <span class="code-tag">&lt;ds:Exponent&gt;</span>AQAB<span
class="code-tag">&lt;/ds:Exponent&gt;</span>
        <span class="code-tag">&lt;/ds:RSAKeyValue&gt;</span>
      <span class="code-tag">&lt;/ds:KeyValue&gt;</span>
     <span class="code-tag">&lt;/ds:KeyInfo&gt;</span>
   <span class="code-tag">&lt;/ds:Signature&gt;</span>

    <span class="code-tag">&lt;saml2:Assertion <span class="code-keyword">xmlns:saml2</span>=<span
class="code-quote">"urn:oasis:names:tc:SAML:2.0:assertion"</span> <span class="code-keyword">xmlns:xs</span>=<span
class="code-quote">"http://www.w3.org/2001/XMLSchema"</span> <span class="code-keyword">xmlns:xsi</span>=<span
class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span> ID=<span
class="code-quote">"_E462768C678896CE9913202742137181"</span> IssueInstant=<span
class="code-quote">"2011-11-02T22:50:13.718Z"</span> Version=<span class="code-quote">"2.0"</span>
xsi:type=<span class="code-quote">"saml2:AssertionType"</span>&gt;</span>

<span class="code-tag">&lt;saml2:Issuer&gt;</span>https://idp.example.org/SAML2<span
class="code-tag">&lt;/saml2:Issuer&gt;</span>

<span class="code-tag">&lt;ds:Signature <span class="code-keyword">xmlns:ds</span>=<span
class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>&gt;</span>
 &lt;!-- 
    Enveloped/embedded SAML Assertion XML Signature is omitted for brevity
    See the JAX-RS SAML section for more info
 --&gt;
<span class="code-tag">&lt;/ds:Signature&gt;</span>
<span class="code-tag"><span class="code-comment">&lt;!-- the rest of SAML
assertion --&gt;</span></span>
<span class="code-tag">&lt;/saml2:Assertion&gt;</span>
<span class="code-tag">&lt;/env:Envelope&gt;</span>
</pre>
</div></div>

<p>Note that the whole payload is enveloped by a configurable wrapper element. The Book
instance is one part of the envelope and is signed by a detached signature (see the first
ds:Signature, whose ds:Reference links to Book). The envelope also carries an embedded SAML
assertion, which has its own enveloped signature.</p>

<p>The instance of org.apache.cxf.rs.security.xml.XmlSigInHandler will handle a detached
XML signature of the Book XML fragment on the server side. See <a href="/confluence/display/CXF20DOC/JAX-RS+SAML"
title="JAX-RS SAML">JAX&#45;RS SAML</a> for more information on how to deal with SAML
assertions.</p>

<p>Client code is nearly identical to the one shown in the Enveloped signatures section,
except that XmlSigOutInterceptor needs an additional property set:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">

<span class="code-comment">// add the interceptor dealing with adding a signature
</span>XmlSigOutInterceptor sigInterceptor = <span class="code-keyword">new</span>
XmlSigOutInterceptor();
sigInterceptor.setStyle(<span class="code-quote">"detached"</span>);

</pre>
</div></div>

<h2><a name="JAX-RSXMLSecurity-Customizingthesignature"></a>Customizing
the signature</h2>

<p>org.apache.cxf.rs.security.xml.XmlSigOutInterceptor manages the creation of the signature
on the client side.<br/>
The following properties can be set on it at the moment:</p>

<ul>
    <li>"style": possible values are "enveloped" (default), "enveloping" and "detached"</li>
    <li>"envelopedName": only used with the "detached" style; default is "{<a href="http://org.apache.cxf/rs/env"
class="external-link" rel="nofollow">http://org.apache.cxf/rs/env</a>}Envelope"</li>
    <li>"signatureAlgorithm": default is "http://www.w3.org/2000/09/xmldsig#rsa-sha1"</li>
    <li>"digestAlgorithm": default is "http://www.w3.org/2000/09/xmldsig#sha1"</li>
</ul>
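<p>The three styles above differ only in where the signed element sits relative to the
ds:Signature, and an inbound handler has to resolve the ds:Reference URI before it can
verify anything. The following Python is an added example, not CXF code: it classifies a
payload as enveloped, enveloping or detached by locating the element the Reference points
at, rejects a Reference that does not resolve to exactly one ID (so a verifier never has to
guess which element was signed), and for the enveloped style confirms that the
enveloped-signature transform is present. It goes slightly beyond the page by covering the
ambiguous-ID and missing-transform cases. It is a structural pre-check only; the
cryptographic verification is done by XmlSigInHandler. The payloads are constructed from
the shapes on this page with placeholder values in place of real digests and signatures.</p>

```python
# Added example (not CXF code): classify the XML Signature style of a JAX-RS
# payload and check that its ds:Reference binds to exactly one element.
# Standard library only; sample payloads are constructed with placeholder values.
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED_TRANSFORM = DS + "enveloped-signature"
ID_ATTRS = ("ID", "Id", "id")  # the ID attribute spellings seen in the page's payloads


def _ds(local):
    return "{%s}%s" % (DS, local)


def _is_inside(node, container, parents):
    """True when node is a strict descendant of container."""
    while node in parents:
        node = parents[node]
        if node is container:
            return True
    return False


def classify_signatures(xml_text):
    """Return one record per ds:Signature that carries a ds:Reference.

    Raises ValueError when the Reference URI does not resolve to exactly one
    element: the verifier cannot know which element was signed, so the payload
    is rejected rather than guessed at."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    results = []
    for sig in root.iter(_ds("Signature")):
        ref = sig.find("./%s/%s" % (_ds("SignedInfo"), _ds("Reference")))
        if ref is None:
            continue  # e.g. the stripped-down embedded SAML signature on the page
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError("unsupported Reference URI %r" % uri)
        matches = [el for el in root.iter()
                   if any(el.get(attr) == uri[1:] for attr in ID_ATTRS)]
        if len(matches) != 1:
            raise ValueError("Reference %s resolves to %d elements" % (uri, len(matches)))
        target = matches[0]
        if _is_inside(sig, target, parents):
            style = "enveloped"    # signature lives inside the signed element
        elif _is_inside(target, sig, parents):
            style = "enveloping"   # signed element lives inside the signature (ds:Object)
        else:
            style = "detached"     # siblings under a wrapper such as env:Envelope
        transforms = [t.get("Algorithm") for t in ref.iter(_ds("Transform"))]
        results.append({
            "style": style,
            "target": target.tag,
            "uri": uri,
            # an enveloped signature must exclude itself from the digested bytes
            "enveloped_transform_ok": style != "enveloped"
                                      or ENVELOPED_TRANSFORM in transforms,
        })
    return results


# Constructed sample payloads (shapes from the page, values are placeholders).
DS_XMLNS = 'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"'
EXC_C14N = '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
ENVELOPED = (
    '<Book ID="b-1"><id>126</id><name>CXF</name>'
    '<ds:Signature ' + DS_XMLNS + '><ds:SignedInfo><ds:Reference URI="#b-1"><ds:Transforms>'
    '<ds:Transform Algorithm="' + ENVELOPED_TRANSFORM + '"/>' + EXC_C14N +
    '</ds:Transforms></ds:Reference></ds:SignedInfo>'
    '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature></Book>'
)
ENVELOPING = (
    '<ds:Signature ' + DS_XMLNS + '><ds:SignedInfo><ds:Reference URI="#o-1"><ds:Transforms>'
    + EXC_C14N + '</ds:Transforms></ds:Reference></ds:SignedInfo>'
    '<ds:Object ID="o-1"><Book><id>126</id><name>CXF</name></Book></ds:Object></ds:Signature>'
)
DETACHED = (
    '<env:Envelope xmlns:env="http://org.apache.cxf/rs/env">'
    '<Book ID="d-1"><id>125</id><name>CXF</name></Book>'
    '<ds:Signature ' + DS_XMLNS + '><ds:SignedInfo><ds:Reference URI="#d-1"><ds:Transforms>'
    + EXC_C14N + '</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>'
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="a-1">'
    '<ds:Signature ' + DS_XMLNS + '/></saml2:Assertion></env:Envelope>'
)
# Two elements claim the same ID, so the Reference is ambiguous and must be rejected.
AMBIGUOUS = DETACHED.replace('ID="a-1"', 'ID="d-1"')
# Enveloped style without the enveloped-signature transform: the digest would
# have to cover the signature itself, which can never verify.
ENVELOPED_NO_TRANSFORM = ENVELOPED.replace(
    '<ds:Transform Algorithm="' + ENVELOPED_TRANSFORM + '"/>', '')

if __name__ == "__main__":
    for name, payload in (("enveloped", ENVELOPED), ("enveloping", ENVELOPING),
                          ("detached", DETACHED)):
        print(name, classify_signatures(payload))
```

<p>The detached sample deliberately includes the embedded SAML ds:Signature without a
SignedInfo, as on the page, to show that only the signature with a resolvable Reference is
reported; the SAML assertion's own signature is the JAX-RS SAML handler's business.</p>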

<h1><a name="JAX-RSXMLSecurity-XMLEncryption"></a>XML Encryption</h1>

<p>Encrypting XML payloads protects the payload itself and so makes it possible to drop the requirement for HTTPS.</p>

<p>Here is a payload example:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;xenc:EncryptedData <span class="code-keyword">xmlns:xenc</span>=<span
class="code-quote">"http://www.w3.org/2001/04/xmlenc#"</span>&gt;</span>
  <span class="code-tag">&lt;xenc:EncryptionMethod Algorithm=<span class="code-quote">"http://www.w3.org/2001/04/xmlenc#aes128-cbc"</span>/&gt;</span>
  <span class="code-tag">&lt;ds:KeyInfo <span class="code-keyword">xmlns:ds</span>=<span
class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>&gt;</span>
    <span class="code-tag">&lt;ds:RetrievalMethod Type=<span class="code-quote">"http://www.w3.org/2001/04/xmlenc#EncryptedKey"</span>/&gt;</span>
    <span class="code-tag">&lt;xenc:EncryptedKey Id=<span class="code-quote">"EK-B353DDCEE7C575B6A213203188664772"</span>&gt;</span>
      <span class="code-tag">&lt;xenc:EncryptionMethod Algorithm=<span class="code-quote">"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"</span>/&gt;</span>
        <span class="code-tag">&lt;ds:KeyInfo&gt;</span>
            <span class="code-tag">&lt;ds:X509Data&gt;</span>
               <span class="code-tag">&lt;ds:X509Certificate&gt;</span><span
class="code-tag"><span class="code-comment">&lt;!-- Omitted for brevity --&gt;</span></span><span
class="code-tag">&lt;/ds:X509Certificate&gt;</span>
           <span class="code-tag">&lt;/ds:X509Data&gt;</span>
        <span class="code-tag">&lt;/ds:KeyInfo&gt;</span>
        <span class="code-tag">&lt;xenc:CipherData&gt;</span><span
class="code-tag">&lt;xenc:CipherValue&gt;</span>tPtZz4pnVWquaV2a7O0y+VrHoeWwk3Eu5Jnu3RHz5rGDB/MLyG6rBamhit03J2xWaV52zUtDAPEj8sr4oy5y2KLB09Hu317IbQjinePabUpd+DLnwNn5iHZpHWJPfndkh07JdYZSrMwqOvJ3fqrNJ+LQeLzZDneT8sC1vRyhSDU=<span
class="code-tag">&lt;/xenc:CipherValue&gt;</span>
        <span class="code-tag">&lt;/xenc:CipherData&gt;</span>
    <span class="code-tag">&lt;/xenc:EncryptedKey&gt;</span>
  <span class="code-tag">&lt;/ds:KeyInfo&gt;</span>
  <span class="code-tag">&lt;xenc:CipherData&gt;</span>
     <span class="code-tag">&lt;xenc:CipherValue&gt;</span>3ZPQ3SapAxemJwqG58sWh+r8B5SMRf/DZ2w/REswgl0zr8kpk0x4tayC5hl7IbSE8CPQYYHX8sXVnUFUoHOtJA==<span
class="code-tag">&lt;/xenc:CipherValue&gt;</span>
  <span class="code-tag">&lt;/xenc:CipherData&gt;</span>
<span class="code-tag">&lt;/xenc:EncryptedData&gt;</span>
</pre>
</div></div> 

<p>Here is a server configuration fragment:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;bean id=<span class="code-quote">"serviceBean"</span>
class=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.BookStore"</span>/&gt;</span>
<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlSigHandler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlSigInHandler"</span>/&gt;</span>

<span class="code-tag">&lt;bean id=<span class="code-quote">"xmlEncHandler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.xml.XmlEncInHandler"</span>/&gt;</span>
    
<span class="code-tag">&lt;jaxrs:server address=<span class="code-quote">"/xmlsig"</span>&gt;</span>

    <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
      <span class="code-tag">&lt;ref bean=<span class="code-quote">"serviceBean"</span>/&gt;</span>
    <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
    <span class="code-tag">&lt;jaxrs:providers&gt;</span>
       <span class="code-tag">&lt;ref bean=<span class="code-quote">"xmlEncHandler"</span>/&gt;</span>
       <span class="code-tag">&lt;ref bean=<span class="code-quote">"xmlSigHandler"</span>/&gt;</span>
    <span class="code-tag">&lt;/jaxrs:providers&gt;</span> 
     <span class="code-tag">&lt;jaxrs:properties&gt;</span>
           &lt;entry key=<span class="code-quote">"ws-security.callback-handler"</span>

                  value=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"</span>/&gt;
           &lt;entry key=<span class="code-quote">"ws-security.encryption.properties"</span>

                  value=<span class="code-quote">"org/apache/cxf/systest/jaxrs/security/bob.properties"</span>/&gt;
           &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span>

                  value=<span class="code-quote">"org/apache/cxf/systest/jaxrs/security/alice.properties"</span>/&gt;
      
     <span class="code-tag">&lt;/jaxrs:properties&gt;</span> 
<span class="code-tag">&lt;/jaxrs:server&gt;</span>

</pre>
</div></div>

<p>This configuration supports receiving signed and then encrypted XML payloads.</p>

<p>Client code:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
import java.util.HashMap;
import java.util.Map;
import javax.ws.rs.core.Response;
import org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.xml.XmlEncOutInterceptor;
import org.apache.cxf.rs.security.xml.XmlSigOutInterceptor;
import static org.junit.Assert.assertEquals;

String address = "https://localhost:8080/xmlencryption/bookstore/books";
JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
bean.setAddress(address);

// setup properties
Map&lt;String, Object&gt; properties = new HashMap&lt;String, Object&gt;();

properties.put("ws-security.callback-handler",
               "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
properties.put("ws-security.encryption.username", "bob");
properties.put("ws-security.encryption.properties",
               "org/apache/cxf/systest/jaxrs/security/bob.properties");

// if signature required:
properties.put("ws-security.signature.username", "alice");
properties.put("ws-security.signature.properties",
               "org/apache/cxf/systest/jaxrs/security/alice.properties");

bean.setProperties(properties);

// if signature required: add the interceptor dealing with adding a signature
XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor();
bean.getOutInterceptors().add(sigInterceptor);

// add the interceptor dealing with the encryption
XmlEncOutInterceptor encInterceptor = new XmlEncOutInterceptor();
encInterceptor.setSymmetricEncAlgorithm("http://www.w3.org/2001/04/xmlenc#aes128-cbc");
bean.getOutInterceptors().add(encInterceptor);

// use WebClient (or proxy) as usual; no response payload is expected here,
// so post the body without a response class and check the status only
WebClient wc = bean.createWebClient();
Response r = wc.post(new Book("CXF", 126L));
assertEquals(200, r.getStatus());
</pre>
</div></div>

<p>Note that the "symmetricEncAlgorithm" property of XmlEncOutInterceptor is set to a weaker
algorithm here only to get the CXF tests passing; leave the default in place for real deployments.</p>

<p>The actual application client code does not expect a payload such as Book back, but
if it did, configuring the server to encrypt the response would be straightforward:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
&lt;bean id="serviceBean" class="org.apache.cxf.systest.jaxrs.security.BookStore"/&gt;
&lt;bean id="xmlSigHandler" class="org.apache.cxf.rs.security.xml.XmlSigInHandler"/&gt;
&lt;bean id="xmlEncHandler" class="org.apache.cxf.rs.security.xml.XmlEncInHandler"/&gt;

&lt;bean id="xmlEncOutHandler" class="org.apache.cxf.rs.security.xml.XmlEncOutInterceptor"&gt;
    &lt;property name="symmetricEncAlgorithm" value="aes128-cbc"/&gt;
&lt;/bean&gt;

&lt;jaxrs:server address="/xmlsig"&gt;
    &lt;jaxrs:serviceBeans&gt;
        &lt;ref bean="serviceBean"/&gt;
    &lt;/jaxrs:serviceBeans&gt;
    &lt;jaxrs:providers&gt;
        &lt;ref bean="xmlEncHandler"/&gt;
        &lt;ref bean="xmlSigHandler"/&gt;
    &lt;/jaxrs:providers&gt;
    &lt;jaxrs:outInterceptors&gt;
        &lt;ref bean="xmlEncOutHandler"/&gt;
    &lt;/jaxrs:outInterceptors&gt;
    &lt;jaxrs:properties&gt;
        &lt;entry key="ws-security.callback-handler"
               value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/&gt;
        &lt;entry key="ws-security.encryption.properties"
               value="org/apache/cxf/systest/jaxrs/security/bob.properties"/&gt;
    &lt;/jaxrs:properties&gt;
&lt;/jaxrs:server&gt;
</pre>
</div></div>

<p>Note the addition of a bean with id "xmlEncOutHandler". This example also shows that
the encryption properties can be used to validate the incoming signature as well, which
simplifies the configuration a bit. Now the client code can be updated to expect an encrypted
Book back:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
import java.util.HashMap;
import java.util.Map;
import org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.xml.XmlEncOutInterceptor;
import org.apache.cxf.rs.security.xml.XmlSigOutInterceptor;
import static org.junit.Assert.assertEquals;

String address = "https://localhost:8080/xmlencryption/bookstore/books";
JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
bean.setAddress(address);

// setup properties
Map&lt;String, Object&gt; properties = new HashMap&lt;String, Object&gt;();

properties.put("ws-security.callback-handler",
               "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
properties.put("ws-security.encryption.username", "bob");
properties.put("ws-security.encryption.properties",
               "org/apache/cxf/systest/jaxrs/security/bob.properties");

bean.setProperties(properties);

// if signature required: add the interceptor dealing with adding a signature
XmlSigOutInterceptor sigInterceptor = new XmlSigOutInterceptor();
bean.getOutInterceptors().add(sigInterceptor);

// add the interceptor dealing with the encryption
XmlEncOutInterceptor encInterceptor = new XmlEncOutInterceptor();
encInterceptor.setSymmetricEncAlgorithm("http://www.w3.org/2001/04/xmlenc#aes128-cbc");
bean.getOutInterceptors().add(encInterceptor);

// use WebClient (or proxy) as usual; this time a Book is expected back
WebClient wc = bean.createWebClient();
Book book = wc.post(new Book("CXF", 126L), Book.class);
assertEquals("CXF", book.getName());
</pre>
</div></div>

<h2><a name="JAX-RSXMLSecurity-Customizingtheencryption"></a>Customizing
the encryption</h2>

<p>org.apache.cxf.rs.security.xml.XmlEncOutInterceptor manages the encryption process.<br/>
The following properties can be set on it at the moment:<br/>
"symmetricEncAlgorithm": default is "http://www.w3.org/2001/04/xmlenc#aes256-cbc"; complete
URIs or short identifiers are supported, for example
"aes128-cbc" or "http://www.w3.org/2001/04/xmlenc#aes256-cbc".<br/>
"keyEncAlgorithm": default is "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p".<br/>
"keyIdentifierType": default is "X509_KEY"; "X509_ISSUER_SERIAL" is also supported, which is useful
when the whole X.509 certificate should not be embedded in the message.</p>
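<p>The following is an added example, not code from the CXF project or the page above: it wires the same handlers as the Spring configuration for an encrypted response programmatically, and makes the three XmlEncOutInterceptor properties just listed explicit in code. It assumes that the bean properties "keyEncAlgorithm" and "keyIdentifierType" map to setters in the usual Spring way (setKeyEncAlgorithm, setKeyIdentifierType), as "symmetricEncAlgorithm" does to setSymmetricEncAlgorithm. The class name XmlSecurityWiring, the allow-list of accepted algorithms and the helper methods are hypothetical; the callback-handler class and properties-file paths are the page's own test fixtures and must be replaced in a real deployment.</p>

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
import org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean;
import org.apache.cxf.rs.security.xml.XmlEncInHandler;
import org.apache.cxf.rs.security.xml.XmlEncOutInterceptor;
import org.apache.cxf.rs.security.xml.XmlSigInHandler;
import org.apache.cxf.rs.security.xml.XmlSigOutInterceptor;

/** Hypothetical helper (not part of CXF) mirroring the Spring configuration above. */
public class XmlSecurityWiring {

    // Assumption: this deployment accepts only the documented default symmetric
    // algorithm; the test-only "aes128-cbc" from the page is deliberately absent.
    static final Set<String> ALLOWED_SYM_ALGS = new HashSet<String>(Arrays.asList(
            "http://www.w3.org/2001/04/xmlenc#aes256-cbc"));

    /** Builds the outbound encryption interceptor, failing fast on a disallowed algorithm. */
    static XmlEncOutInterceptor encryptionInterceptor(String symmetricAlg) {
        if (!ALLOWED_SYM_ALGS.contains(symmetricAlg)) {
            throw new IllegalArgumentException("symmetric algorithm not permitted: " + symmetricAlg);
        }
        XmlEncOutInterceptor enc = new XmlEncOutInterceptor();
        enc.setSymmetricEncAlgorithm(symmetricAlg);
        // Documented default, stated explicitly so any later change shows up in code review.
        enc.setKeyEncAlgorithm("http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
        // Reference the recipient certificate by issuer and serial instead of embedding it.
        enc.setKeyIdentifierType("X509_ISSUER_SERIAL");
        return enc;
    }

    /** ws-security properties; null arguments are skipped. Values below are the page's test fixtures. */
    static Map<String, Object> securityProperties(String encProps, String encUser,
                                                  String sigUser, String sigProps) {
        Map<String, Object> p = new HashMap<String, Object>();
        p.put("ws-security.callback-handler",
              "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
        p.put("ws-security.encryption.properties", encProps);
        if (encUser != null) {
            p.put("ws-security.encryption.username", encUser);
        }
        if (sigUser != null) {
            p.put("ws-security.signature.username", sigUser);
            p.put("ws-security.signature.properties", sigProps);
        }
        return p;
    }

    /** Server that decrypts and verifies requests and encrypts responses. */
    static Server startServer(Object bookStore, String address) {
        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
        sf.setAddress(address);
        sf.setServiceBean(bookStore);
        // Same providers, in the same order, as the Spring configuration above.
        sf.setProviders(Arrays.<Object>asList(new XmlEncInHandler(), new XmlSigInHandler()));
        sf.getOutInterceptors().add(
                encryptionInterceptor("http://www.w3.org/2001/04/xmlenc#aes256-cbc"));
        // As the page notes, the encryption properties also serve signature validation here.
        sf.setProperties(securityProperties(
                "org/apache/cxf/systest/jaxrs/security/bob.properties", null, null, null));
        return sf.create();
    }

    /** Client that signs as "alice" and encrypts for "bob", as in the page's client snippets. */
    static JAXRSClientFactoryBean clientFactory(String address) {
        JAXRSClientFactoryBean cf = new JAXRSClientFactoryBean();
        cf.setAddress(address);
        cf.setProperties(securityProperties(
                "org/apache/cxf/systest/jaxrs/security/bob.properties", "bob",
                "alice", "org/apache/cxf/systest/jaxrs/security/alice.properties"));
        cf.getOutInterceptors().add(new XmlSigOutInterceptor());
        cf.getOutInterceptors().add(
                encryptionInterceptor("http://www.w3.org/2001/04/xmlenc#aes256-cbc"));
        return cf;
    }
}
```

<p>The allow-list check is the part worth copying: the page's snippets pass the algorithm URI straight to setSymmetricEncAlgorithm, so a test-only value such as "aes128-cbc" can reach production unnoticed, whereas encryptionInterceptor rejects it at startup.</p>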

<h1><a name="JAX-RSXMLSecurity-Interoperability"></a>Interoperability</h1>

<p>The payloads containing the enveloping XML Signatures are structured according to
the XML Signature specification and as such can be consumed by any XML Signature aware consumer
capable of handling enveloping signatures and extracting the signed payload.</p>

<p>The same applies to enveloped signatures; for example, a signed SAML assertion always
contains an enveloped signature.</p>

<p>The way CXF creates detached XML Signatures is experimental, so at the moment CXF
is required on both ends for detached signatures to be created and validated.</p>

<p>The current XML Encryption support is in line with the specification, so
capable non-CXF consumers will be able to decrypt the payloads.</p>
    </div>
</div>
</div>
</div>
</div>
</body>
</html>